Metersphere
CVE-2023-25814
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
metersphere is an open source continuous testing platform. In versions prior to 2.7.1 a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows a users of the system to read arbitrary files on the filesystem of the server so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue.
AnalysisAI
metersphere is an open source continuous testing platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. metersphere is an open source continuous testing platform. In versions prior to 2.7.1 a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows a users of the system to read arbitrary files on the filesystem of the server so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Metersphere. Version information: prior to 2.7.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Metersphere
View allMetersphere is an opensource testing framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. Rated critical severity (CVSS 9.8), this vu
Metersphere is an open source continuous testing platform. Rated high severity (CVSS 8.8), this vulnerability is remotel
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testi
MeterSphere is a one-stop open source continuous testing platform. Rated high severity (CVSS 8.1), this vulnerability is
MeterSphere is an open-source continuous testing platform. Rated high severity (CVSS 7.5), this vulnerability is remotel
metersphere is an open source continuous testing platform. Rated high severity (CVSS 7.5), this vulnerability is remotel
MeterSphere is an open source continuous testing platform. Rated medium severity (CVSS 6.5), this vulnerability is remot
MeterSphere is an open source continuous testing platform. Rated medium severity (CVSS 6.5), this vulnerability is remot
MeterSphere is an open source continuous testing platform. Rated medium severity (CVSS 6.1), this vulnerability is remot
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testi
CVE-2025-53639 is a critical SQL injection vulnerability in MeterSphere's API sorting functionality where the sortField
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today